24. Stadium ACL Test Plan.pdf

Viewer
Transcript

Testing ACLs Test Plan

Start Date Network Build (Setup) Testing Date

End Date

Table of Contents ATTENDEES

3

INTRODUCTION

4

EQUIPMENT

4

DESIGN AND TOPOLOGY DIAGRAM

5

TEST 1. DESCRIPTION: ACCESS CONTROL LISTS TEST

7

TEST 1. PROCEDURES:

8

TEST 1. EXPECTED RESULTS AND SUCCESS CRITERIA:

8

TEST 1. CONCLUSIONS

9

APPENDIX

10

Attendees Name

Company

Position

Introduction An introduction to the testing explaining briefly what the purpose of the test is, and what should be observed. Include a brief description of testing goals. List all tests you intend to run. For example: The purpose of this test plan is to add access control lists to the prototype network to secure unauthorized access to the server farm and to demonstrate that the access control lists are configured correctly. This revised prototype network is used to test various aspects of the proposed design. •

Test 1: Access Control Lists Test •

Verify full connectivity from all PCs to all servers.

•

Plan access control lists to prevent unauthorized access to the server farm.

•

Configure access control lists on Distribution Layer devices and apply them to the proper interfaces in the proper direction.

•

Verify proper operation of the access control lists by verifying that permitted traffic gets through to the servers and unauthorized traffic is blocked.

Equipment List all of the equipment needed to perform the tests. Be sure to include cables, optional connectors or components, and software. Qty. Req

Model

5

2960 Layer 2 switch 1841 ISR routers with 2 FastEthernet ports and 2 Serial ports Personal Computer enddevices Personal Computer Server Cat 5 or above straightthrough patch cables. Cat 5 or above cross-over patch cables V.35 DTE Serial Cables V.35 DCE Serial Cables

5

3

6

12

6

5 5

Any additional options or software required

Substitute

IOS Software Rev.

Any 2950 or 2960 model switch Any multilayer switch or router with minimum 2 FastEthernet ports and two serial port.

12.2 or above

Windows, MAC or Linux operating system.

FastEthernet NIC

At least one PC and any other IP end-device (camera, printer, etc.) Any PC with web server and DNS software loaded

none

none

n/a

none

none

n/a

None

None

n/a

None

None

n/a

none none

FastEthernet NIC

12.2 or above

Windows, MAC, or Linux operating system

Design and Topology Diagram Place a copy of the prototype network topology in this section. This is the network as it should be built to be able to perform the required tests. If this topology duplicates a section of the actual network, include a reference topology showing the location within the existing or planned network. Initial configurations for each device must be included in the Appendix.

Addressing Table

Device Designation

Interface

IP Address

Subnet mask

Gateway

R1

Fa0/0.1

172.18.2.1

255.255.255.0

N/A

R1

Fa0/0.21

172.18.21.1

255.255.255.0

N/A

R1

Fa0/0.22

172.18.22.1

255.255.255.0

N/A

R1

Fa0/0.23

172.18.23.1

255.255.255.0

N/A

R1

Fa0/1

172.18.0.17

255.255.255.252

N/A

R1

S0/1/0 * DTE

172.18.0.13

255.255.255.252

N/A

R1

S0/1/1 * DCE

172.18.0.25

255.255.255.252

N/A

R2

Fa0/0.1

172.18.2.2

255.255.255.0

N/A

R2

Fa0/0.21

172.18.21.2

255.255.255.0

N/A

R2

Fa0/0.22

172.18.22.2

255.255.255.0

N/A

R2

Fa0/0.23

172.18.23.2

255.255.255.0

N/A

R2

Fa0/1

172.18.0.21

255.255.255.252

N/A

R2

S0/1/0 * DTE

172.18.0.10

255.255.255.252

N/A

R2

S0/1/1 * DTE

172.18.0.26

255.255.255.252

N/A

R3

Fa0/0

172.18.0.18

255.255.255.252

N/A

R3

S0/1/0 * DTE

172.18.0.1

255.255.255.252

N/A

R3

S0/1/1 * DCE

172.18.0.9

255.255.255.252

N/A

R4

Fa0/0

172.18.0.22

255.255.255.252

N/A

R4

S0/1/0 * DTE

172.18.0.5

255.255.255.252

N/A

R4

S0/1/1 * DCE

172.18.0.14

255.255.255.252

N/A

R5

Fa0/0

172.18.1.1

255.255.255.0

N/A

R5

S0/1/0 * DCE

172.18.0.2

255.255.255.252

N/A

R5

S0/1/1 * DCE

172.18.0.6

255.255.255.252

N/A

S1

VLAN1

172.18.2.3

255.255.255.0

172.18.2.1

S2

VLAN1

172.18.2.4

255.255.255.0

172.18.2.1

S3

VLAN1

172.18.2.5

255.255.255.0

172.18.2.1

S4

VLAN1

172.18.2.6

255.255.255.0

172.18.2.1

S5

VLAN1

172.18.1.2

255.255.255.0

172.18.1.1

PC1

172.18.23.10

255.255.255.0

172.18.23.1

PC2

172.18.1.10

255.255.255.0

172.18.1.1

PC3

172.18.1.11

255.255.255.0

172.18.1.1

Web 1A

172.18.21.3

255.255.255.0

172.18.21.1

Web 1B

172.18.21.4

255.255.255.0

172.18.21.2

DNS A

172.18.22.3

255.255.255.0

172.18.22.1

DNS B

172.18.22.4

255.255.255.0

172.18.22.2

Web 2A

172.18.23.3

255.255.255.0

172.18.23.1

Web 2B

172.18.23.4

255.255.255.0

172.18.23.2

Figure 1: Topology - Prototype test topology. Add a description about this design here that is essential to provide a better understanding of the testing or to emphasize any aspect of the test network to the reader.

For each test to be performed state the goals of the test, the data to record during the test, and the estimated time to perform the test.

Test 1. Description: Access Control Lists Test Goals of Test: The goal of the test is to verify that access control lists are properly configured and applied to permit authorized traffic and to block unauthorized traffic.

Data to Record: Configurations Router configurations ACL information Ping Test Output Web page access information

Estimated Time: 120 minutes

Test 1. Procedures: Itemize the procedures to follow to perform the test. Step 1: Verify full connectivity from all PCs to all servers. 1. From PC1 and PC2 ping all of the servers in the topology. Record the results. 2. From PC1 and PC2 access the following web pages: www.web1a.com, www.web1b.com, www.web2a.com, and www.web2b.com. Record the results. 3. From PC2, ping the Fa0/1 interface of routers R1 and R2 to verify connectivity and then telnet to routers R1 and R2 and get the “show running-config” output. Copy and paste the results into a document for later use. Step 2: Plan access control lists to prevent unauthorized access to the server farm. 1. Design an access control list numbered 101 to allow only web access from hosts on the internal network, 172.18.0.0/16, to any device and deny all other traffic. Design an access control list numbered 102 to allow only DNS access from hosts on the internal network, 172.18.0.0/16, to any device and deny all other traffic. Step 3: Configure and apply access control lists. 1. Telnet to routers R1 and R2 and add both access control lists and apply them on to the proper interfaces in the proper direction to protect the servers connected to that interface. Step 4: Verify proper operation of the access control lists. 1. From PC1 and PC2 ping all of the servers in the topology. Record the results. 2. From PC1 and PC2 access the following web pages: www.web1a.com, www.web1b.com, www.web2a.com, and www.web2b.com. Record the results. 3. Telnet to routers R1 and R2 and document the final cofiguration using “show runningconfig”, and “show access-lists”.

Test 1. Expected Results and Success Criteria: List all of the expected results. Specific criteria that must be met for the test to be considered a success should be listed. An example of specific criteria is: “A requirement that ping response times cannot exceed 100 ms.” 1. Prior to configuring access control lists both PCs can ping all servers and access all web pages. 2. After configuring access control lists, PC2, representing a legitimate inside user, can not ping any server but can access all web pages. 3. After configuring access control lists, PC1, representing a PC set up to maintain switch configurations, can ping servers in its own VLAN, can not ping other servers, and can not access any web pages.

4. Test 1. Results and Conclusions Record the results of the tests and the conclusions that can be drawn from the results.

Appendix Record the starting configurations, any modifications, log file or command output, and any other relevant documentation.

Stadium Drive - Michigan Avenue Presentation Final.pdf ...